[gin-auth] Are we done ?

Dane Skow skow at mcs.anl.gov
Thu Nov 9 16:58:06 CST 2006


In reviewing the status of this group for others recently, I've been  
pondering where we are and what next for interoperation in  
authorization/authentication infrastructure. The slides presented at  
GGF18 are available at
http://forge.gridforum.org/sf/tracker/do/viewArtifact/projects.gin/tracker.draftplans2006/artf5584?nav=1&selectedTab=attachments

I'd like to see what this group thinks regards what we should be  
doing next.

We defined Phase 1 GIN interoperation as the following agreements:

1) RFC 3820 proxies would be the identity/authentication vehicles for  
interoperation.

2) VOMS proxy extensions would be the common denominator for  
conveying authorization attributes.

3) IGTF CA accreditation would establish the common set of sources of  
certificates.

4) Delegation would be supported by GSI delegation for pre-WS GRAM/GridFTP.  
A common WS-Delegation would be supported for WS interfaces.

5) We established a naming convention for VOs and established a  
bootstrap VOMS service for newcomers to test interoperation.

In my opinion, I see the following status:

1) has been accomplished. I'm not sure all proxies in use these days  
are RFC 3820 compliant, but the move is clearly that way and most  
code properly handles the earlier versions so interoperation hasn't  
been a problem.

2) has been used effectively by multiple grids and the specification  
of the extensions has been documented (has that spec been published  
actually?). The use of attributes to date, as far as I know, has been  
to map a single individual in different roles to different execution  
environments (e.g. accounts) from a pre-loaded map. Dynamic mapping  
of groups (without requiring pre-registration) has not been deployed  
in practice yet, but there are no technical obstacles.

3) What problems there have been in recognition of credentials have  
been in cases where the credentials come from a non-IGTF CA. There is  
interest in other groups of certificate authorities, but none  
pressing for production grid use at this time, in this community.

4) seems to be working well enough for the pre-WS GRAM and GridFTP  
interoperation to date. It is not clear to me there is a consensus  
yet on the WS delegation definition/implementation. Perhaps we should  
run a survey/test here as the deployment and use of WS services grows.

5) the bootstrap service is operational and has been useful for  
testing and getting started. I don't believe the naming convention  
agreement has had any impact on the production VOs, but there does  
not appear to yet be any problem with name collisions in production.

Looking forward, are there other things that we should be pursuing at  
this time? I think it appropriate for GIN groups to restrict  
themselves to issues that are current or imminent interoperation  
issues and targeted at production services (lest we end up creating  
yet another design group).

The mailing list has been rather quiet lately and I confess that I've  
been consistently distracted by my "day job" as well. If there were  
someone interested in stepping forward to lead an agenda for a Phase  
II, then I would be glad to pass the baton. Alternately, we could  
declare our work done for this phase and go dormant pending needs for  
resurrecting in a later phase. The list has value as a communications  
channel among specialists in the area across the grids, so I would  
not advocate shutting down the list even should we decide that the  
charge of the group has been accomplished.

What do folks think?
Dane
